
I am creating a login page where user and admin will log in. A user will have role = user and status = pending until the admin makes it active. I have different files to display for user and admin, and within the user there are 2 files: 1 for an active user and another for the pending user.

I created if statements and tried a switch statement as well, but I am getting an error on XAMPP: "Parse error: syntax error, unexpected end of file in C:\xampp\htdocs\MakerLab\server.php on line 109"

Here is my server.php:

...

<?php 
    session_start();

    // variable declaration
    $email = "";
    $status = "";

    $errors = array(); 
    $_SESSION['success'] = "";

    // connect to database
    $db = mysqli_connect('localhost', 'root', '', 'makerlab');

    // REGISTER USER
    if (isset($_POST['reg_user'])) {
        // receive all input values from the form
        $fname = mysqli_real_escape_string($db, $_POST['fname']);
        $lname = mysqli_real_escape_string($db, $_POST['lname']);
        $email = mysqli_real_escape_string($db, $_POST['email']);
        $lewisID = mysqli_real_escape_string($db, $_POST['lewisID']);
        $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
        $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

        // form validation: ensure that the form is correctly filled
        //if (empty($email)) { array_push($errors, "Lewis Email is required"); }
        //if (empty($password_1)) { array_push($errors, "Password is required"); }

        //if ($password_1 != $password_2) {
        //  array_push($errors, "The two passwords do not match");
        //}

    $user_check_query = "SELECT * FROM users WHERE lewisID='$lewisID' OR email='$email' LIMIT 1";
    $result = mysqli_query($db, $user_check_query);
    $user = mysqli_fetch_assoc($result);

    if ($user) { // if user exists
    if ($user['lewisID'] === $lewisID) {
    array_push($errors, "lewisID already exists");
    }

    if ($user['email'] === $email) {
    array_push($errors, "lewisID already exists");
    }
    }

        // register user if there are no errors in the form
        if (count($errors) == 0) {
            $password = md5($password_1);//encrypt the password before saving in the database
            $query = "INSERT INTO users (lewisID,
                                        fname, 
                                        lname, 
                                        email, 
                                        password) 
                        VALUES('$lewisID',
                                '$fname', 
                                '$lname', 
                                '$email',
                                '$password')";
            mysqli_query($db, $query);
            $_SESSION['fname'] = $fname;
            $_SESSION['email'] = $email;
            header('location: pend.php');


    // ... 

    // LOGIN USER
    if (isset($_POST['login_user'])) {
        $email = mysqli_real_escape_string($db, $_POST['email']);
        $password = mysqli_real_escape_string($db, $_POST['password']);

        if (empty($email)) {
            array_push($errors, "Lewis Email is required");
        }
        if (empty($password)) {
            array_push($errors, "Password is required");
        }

        if (count($errors) == 0) {
            $password = md5($password);
            $query = "SELECT * FROM users WHERE email='$email' 
            AND password='$password'";

            $results = mysqli_query($db, $query);

            if (mysqli_num_rows($results) == 1) {
                $_SESSION['email'] = $email;
                $row['status'] = $status;
                $row['role'] = $role;
                if ($status == "Pending" )
                {
                    header('location: pend.php');
                }
                else if ($status == "Active" || $role == "user" )
                {
                    header('location: AccountMain.php');
                }
                else if ($status == "Active" || $role == "admin" )
                {
                    header('location: admain.php');
                }
            } else {
                array_push($errors, "Wrong username/password combination");
            }
        }
    }

?>

...

  • 1
    Please be aware that you're vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection), and should use [**prepared statements**](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) to prevent this. In addition to this, `md5()` is [**highly insecure**](http://php.net/manual/en/function.md5.php) (even with a salt) and should **NOT** be used for password storage. Instead, you should consider [**`password_hash()`**](http://php.net/manual/en/function.password-hash.php) and [**`password_verify()`**](http://php.net/manual/en/function.password-verify.php). – Obsidian Age May 06 '19 at 22:05
  • Thank you. I will work on it next. I need help with the if statement – Zaheem Hasan May 06 '19 at 22:07
  • It also seems as though your error comes from missing a `}` (for `if (count($errors) == 0)`); it would be easier to confirm this with use of proper indentation. – Obsidian Age May 06 '19 at 22:07
  • Some programs for writing code, Notepad++ for example, will show you where they consider the matching } to be located if you click on a { – SpacePhoenix May 06 '19 at 22:30
  • Yes. I am using Notepad++ and it does show all matching brackets, but I added 2 brackets and it took them, and now it is complaining about the role being undefined at lines 89, 92 and 94 – Zaheem Hasan May 06 '19 at 22:33
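The first comment on the question recommends prepared statements and `password_hash()`/`password_verify()` instead of string-built queries and `md5()`. The following is an added example, not the asker's or the answerer's code, showing the same register/login flow written that way; it assumes the `users` table, column names and page names from the question, the mysqlnd driver (for `get_result()`), and keeps the status/role routing with `&&` as the answer's comments settle on.

```php
<?php
// Added example, not the asker's or answerer's code: the same register/login flow
// using prepared statements and password_hash()/password_verify(), as the comments
// recommend. Table, column and page names are those from the question.
session_start();
$db = mysqli_connect('localhost', 'root', '', 'makerlab');
$errors = [];

// REGISTER USER: input is bound as a parameter, never interpolated into SQL
if (isset($_POST['reg_user'])) {
    $stmt = $db->prepare("SELECT lewisID, email FROM users WHERE lewisID = ? OR email = ? LIMIT 1");
    $stmt->bind_param('ss', $_POST['lewisID'], $_POST['email']);
    $stmt->execute();
    $existing = $stmt->get_result()->fetch_assoc(); // get_result() assumes the mysqlnd driver
    if ($existing) {
        $errors[] = $existing['lewisID'] === $_POST['lewisID'] ? "lewisID already exists" : "email already exists";
    }
    if (count($errors) == 0) {
        // password_hash() salts and uses a slow hash (bcrypt by default); md5() is not a password hash
        $hash = password_hash($_POST['password_1'], PASSWORD_DEFAULT);
        $stmt = $db->prepare("INSERT INTO users (lewisID, fname, lname, email, password) VALUES (?, ?, ?, ?, ?)");
        $stmt->bind_param('sssss', $_POST['lewisID'], $_POST['fname'], $_POST['lname'], $_POST['email'], $hash);
        $stmt->execute();
        header('Location: pend.php');
        exit; // header() does not stop the script; without exit the rest of the file still runs
    }
}

// LOGIN USER: fetch the row by email only, then check the password hash in PHP
if (isset($_POST['login_user'])) {
    $stmt = $db->prepare("SELECT password, status, role FROM users WHERE email = ? LIMIT 1");
    $stmt->bind_param('s', $_POST['email']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row && password_verify($_POST['password'], $row['password'])) {
        session_regenerate_id(true); // fresh session id once authenticated
        $_SESSION['email'] = $_POST['email'];
        if ($row['status'] == "Pending") {
            header('Location: pend.php');
        } elseif ($row['status'] == "Active" && $row['role'] == "admin") {
            header('Location: admain.php');
        } else { // Active user
            header('Location: AccountMain.php');
        }
        exit;
    }
    $errors[] = "Wrong username/password combination"; // same message for unknown email and wrong password
}
```

The `users.password` column must be wide enough for the hash (the PHP manual recommends 255 characters); a column sized for 32-character md5 digests would truncate it and every login would then fail.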

1 Answer


You are missing 2 brackets at the end of the file (before the ?> tag). Next time you can use an IDE like PHPStorm that helps with indentation and formatting.

<?php
session_start(); // needed before $_SESSION is used

// variable declaration
$email = "";
$status = "";

$errors = array();
$_SESSION['success'] = "";

// connect to database
$db = mysqli_connect('localhost', 'root', '', 'makerlab');

// REGISTER USER
if (isset($_POST['reg_user'])) {
    // receive all input values from the form
    $fname = mysqli_real_escape_string($db, $_POST['fname']);
    $lname = mysqli_real_escape_string($db, $_POST['lname']);
    $email = mysqli_real_escape_string($db, $_POST['email']);
    $lewisID = mysqli_real_escape_string($db, $_POST['lewisID']);
    $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
    $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

    // form validation: ensure that the form is correctly filled
    //if (empty($email)) { array_push($errors, "Lewis Email is required"); }
    //if (empty($password_1)) { array_push($errors, "Password is required"); }

    //if ($password_1 != $password_2) {
    //  array_push($errors, "The two passwords do not match");
    //}

    $user_check_query = "SELECT * FROM users WHERE lewisID='$lewisID' OR email='$email' LIMIT 1";
    $result = mysqli_query($db, $user_check_query);
    $user = mysqli_fetch_assoc($result);

    if ($user) { // if user exists
        if ($user['lewisID'] === $lewisID) {
            array_push($errors, "lewisID already exists");
        }

    if ($user['email'] === $email) {
        array_push($errors, "email already exists");
    }
    }

    // register user if there are no errors in the form
    if (count($errors) == 0) {
        $password = md5($password_1);//hash the password before saving in the database (md5 is weak for this; see the comments on the question)
        $query = "INSERT INTO users (lewisID,
                                    fname, 
                                    lname, 
                                    email, 
                                    password) 
                    VALUES('$lewisID',
                            '$fname', 
                            '$lname', 
                            '$email',
                            '$password')";
        mysqli_query($db, $query);
        $_SESSION['fname'] = $fname;
        $_SESSION['email'] = $email;
        header('location: pend.php');
        exit; // header() does not end the script on its own
    }
}

// ...

// LOGIN USER
if (isset($_POST['login_user'])) {
    $email = mysqli_real_escape_string($db, $_POST['email']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    if (empty($email)) {
        array_push($errors, "Lewis Email is required");
    }
    if (empty($password)) {
        array_push($errors, "Password is required");
    }

    if (count($errors) == 0) {
        $password = md5($password);
        $query = "SELECT * FROM users WHERE email='$email' 
        AND password='$password'";

        $results = mysqli_query($db, $query);

        if (mysqli_num_rows($results) == 1) {
            $_SESSION['email'] = $email;
            $row = mysqli_fetch_assoc($results);
            $status = $row['status'];
            $role = $row['role'];
            // && rather than ||: with || an active admin matched the "user" branch first
            if ($status == "Pending") {
                header('location: pend.php');
            } else if ($status == "Active" && $role == "user") {
                header('location: AccountMain.php');
            } else if ($status == "Active" && $role == "admin") {
                header('location: admain.php');
            }
            exit; // stop after the redirect
        } else {
            array_push($errors, "Wrong username/password combination");
        }
    }
}
?>
  • Thanks, @Elminson De Oleo Baez. I added them and it brings up the website, but now I am not able to log in. I tried with an active and a pending user and it does not do anything, just takes me back to the login page – Zaheem Hasan May 06 '19 at 22:15
  • The problem is that your login_user section is inside the reg_user. I will edit my answer and then you can test again – Elminson De Oleo Baez May 06 '19 at 22:25
  • You can test now with the new code @ZaheemHasan – Elminson De Oleo Baez May 06 '19 at 22:27
  • Thanks. I tried, but now it's complaining that the role variable is undefined. I have a column in my database named "role" – Zaheem Hasan May 06 '19 at 22:31
  • Your problem is that you are accessing the variable `$role`, which is undefined: `$row['role'] = $role;`, so you have to invert this to `$role = $row['role'];` – Elminson De Oleo Baez May 06 '19 at 22:39
  • The same with `$row['status'] = $status;`, which should be `$status=$row['status'];`. Also missing is `$row = mysqli_fetch_assoc($result);` at line 87. I will update my answer again and you can do a diff to see the differences. – Elminson De Oleo Baez May 06 '19 at 23:00
  • Yes, I made the correction on status as well. Thanks a lot for your help! I once used fetch and it did not like it either, so I'll try your way – Zaheem Hasan May 06 '19 at 23:02
  • I can log in as an active and a pending user and it shows the appropriate file, but for an active admin it shows AccountMain.php when it should show admain.php – Zaheem Hasan May 06 '19 at 23:37
  • Your problem is that the second statement (lines 93 and 95, with the ||) is true in the first statement, so you should change || to `&&` – Elminson De Oleo Baez May 06 '19 at 23:53
  • should look like this `if ($status == "Pending") { header('location: pend.php'); } else if ($status == "Active" && $role == "user") { header('location: AccountMain.php'); } else if ($status == "Active" && $role == "admin") { header('location: admain.php'); }` – Elminson De Oleo Baez May 06 '19 at 23:54
  • Yes, I see that I used the wrong operator. Thanks a lot, it worked – Zaheem Hasan May 07 '19 at 00:44
  • Excellent, please mark my answer as correct and arrow it up. You're welcome! – Elminson De Oleo Baez May 07 '19 at 01:02